User agent code injection

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 04-03-11 05:06

I remember reading a post a while back about injecting code through your user agent, but the OP wasn't sure how, and the other day I realized a lot of sites that tell you your IP address also tell you your browser name.
As it turns out, most of the sites I checked executed the script I put in the user agent string.
Amusingly, when I searched for sites that detect what browser you're using, they mostly seemed pretty well sanitized, which seemed a bit backwards...
Does anyone know if this is the only place this could be useful (if that even qualifies as useful), or does code injection through a user agent have any real applications?

Author

RE: User agent code injection

User agent injection can be used in 2 places mainly...
1- if the webpage or script stores data into a database.
2- if some logs ae kept in html format or stored in a file the displayed in an html page.

the best thing in order to check if a scripts does not handle that very good is to download the script source and check what kind of filtering and storing it does with the user agent.

also another good thing that some devs miss filtering is refferer, as some scripts do store what pages or urls sent you to the website.

as said before, download the script and see what filtering applies.

Hellbound Hackers is the collective work of the staff and the community and is therefore licensed under the CC BY-NC-SA license.